SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f314dccf53fb8902f0efbc67d723c43cc9aba843
SilverMetal/linux/build/runner/config.yaml
SysAdmin ec942b7698
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Successful in 1s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m24s
Details
fix(linux/build): bind only config.json, not whole /root/.docker (M1.1 iter20) 
Run #4267 finally got the bind mount through (Merged Binds includes
/root/.docker:/root/.docker:ro), but docker build then died:

    failed to update builder last activity time:
    open /root/.docker/buildx/activity/.tmp-...: read-only file system

The catthehacker job container uses buildx, which writes activity
tracking to /root/.docker/buildx/. Mounting the whole host /root/.docker
read-only made that path read-only too.

Right scope is the file, not the dir:
    -v /root/.docker/config.json:/root/.docker/config.json:ro

That gives the cli the registry auth it needs while leaving the rest
of /root/.docker on the container's writable overlay so buildx can
populate its own activity dir without colliding with the host's. Also
matches the principle of mounting the minimum the secret requires.

valid_volumes entry updated to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:52:35 +01:00

52 lines
2.3 KiB
YAML
Raw Blame History

# Gitea act_runner config for the silvermetal-builder runner.
#
# Two ISO builds back-to-back at ~60-90 minutes each = workflow runtime
# floor of ~3h. Default 60m timeout would trip mid-build.
log:
level: info
runner:
capacity: 1 # one reproducibility-gated build at a time
timeout: 240m # 4h ceiling per job — covers two builds + diffoscope
fetch_timeout: 5s
fetch_interval: 2s
container:
network: host
privileged: true # required: live-build needs loop devices + chroot
# `valid_volumes` is an allowlist of **source paths** (globs), not full
# bind specs. Listing "/root/.docker:/root/.docker:ro" here makes the
# runner silently drop the bind from container.options with
# "[/root/.docker] is not a valid volume, will be ignored" — because
# the literal pattern "/root/.docker:/root/.docker:ro" doesn't match
# the bind source "/root/.docker". Source paths only:
valid_volumes:
- /cache
- /var/run/docker.sock
- /root/.docker/config.json
# `options` is applied on top of act_runner's default per-job-container
# docker run args. /var/run/docker.sock is auto-mounted by act_runner
# already; listing it here a second time triggers
# "Duplicate mount point" on container create. So options carries ONLY
# what act_runner doesn't provide: the host's docker-registry.silverlabs.uk
# credentials, which catthehacker/ubuntu:act-latest's docker-cli reads
# from /root/.docker/config.json for `docker push`. Without it the push
# fails with "no basic auth credentials" even though `docker build`
# over the DooD socket works fine.
#
# We mount the FILE (not the directory) read-only:
# - ro is essential — config.json is the host's actual creds file.
# - file-only (not /root/.docker:ro) keeps /root/.docker writable on the
# container's own overlay so buildx can write its activity tracking
# to /root/.docker/buildx/. Mounting the whole dir :ro broke run #4267
# with "failed to update builder last activity time: …read-only
# file system".
options: -v /root/.docker/config.json:/root/.docker/config.json:ro
# Cache the silvermetal-builder image locally after first pull. Bumping
# the image digest in BUILDER_IMAGE invalidates and re-pulls automatically.
force_pull: false
host:
workdir_parent: /data/cache/actions
Reference in New Issue View Git Blame Copy Permalink